Hi,

Jorgen Ottosson wrote:
> $ gpg SHA1SUMS.sign
> Detached signature.
> Please enter name of data file: debian-9.4.0-amd64-xfce-CD-1.iso
> gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B
> gpg: BAD signature from "Debian CD signing key <debian-cd@lists.debian.org>"

This is simply the wrong data file.
*SUMS.sign exists to verify *SUMS.
*SUMS exists to verify the files which it lists by its content
(e.g. *.iso or *.jigdo).

I just tried successfully:

  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS
  ...
  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/SHA1SUMS.sign
  ...
  $ gpg --keyserver keyring.debian.org --verify SHA1SUMS.sign SHA1SUMS
  gpg: Signature made Fri 16 Mar 2018 09:50:55 PM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.
  Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

Important is that "Primary key fingerprint" is one of those listed on
  https://www.debian.org/CD/verify

Have a nice day :)

Thomas
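
The chain described in the reply above (SHA1SUMS.sign verifies SHA1SUMS, and SHA1SUMS verifies the image), as an added example that is not part of the original message. The function names are hypothetical, file names without whitespace are assumed, and the pinned fingerprint is the one quoted in the message.

```shell
# Added example: signature -> SUMS -> image, with the signer pinned by fingerprint.

# Fingerprint as printed in the message above; compare it with the list on
# https://www.debian.org/CD/verify before relying on it.
EXPECTED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Read gpg --status-fd output on stdin and print the primary key fingerprint,
# which is the last field of the VALIDSIG line. Fails if there is no VALIDSIG
# (for example when gpg reported BADSIG).
parse_validsig() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit !found }'
}

# Step 1: verify SUMS against its detached signature.
# usage: signer_fpr SHA1SUMS.sign SHA1SUMS
signer_fpr() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | parse_validsig
}

# Step 2: compare the image's SHA-1 with the entry SUMS lists for its name.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
# usage: check_listed SHA1SUMS image.iso
check_listed() {
    name=$(basename "$2")
    # Lines are "<digest>  <name>"; binary mode writes "<digest> *<name>".
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$1")
    [ -n "$want" ] || { echo "$name is not listed in $1" >&2; return 2; }
    got=$(sha1sum "$2" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Both steps in order; the image is only hashed once SUMS itself is trusted.
# usage: verify_image SHA1SUMS.sign SHA1SUMS image.iso
verify_image() {
    fpr=$(signer_fpr "$1" "$2") || { echo "no valid signature on $2" >&2; return 1; }
    [ "$fpr" = "$EXPECTED_FPR" ] || { echo "unexpected signer: $fpr" >&2; return 1; }
    check_listed "$2" "$3"
}
```

Pinning the fingerprint turns the manual comparison against the web page into a hard failure, which the "not certified with a trusted signature" warning alone does not give you.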